You asked, we listened!
In an effort to improve and enhance your experience using Azure ATP, you can now set alert exclusions that include users, along with other entities such as IP addresses, subnets and computers.
For example, for the “Remote code execution attempt” detection, you can set an exclusion that is based on either a list of machines or an administrative account that is privileged to perform such activities.
User based exclusions were added to the following alerts:
- Suspected DCSync attack (replication of directory services)
- User and Group membership reconnaissance (SAMR)
- Suspicious service creation
- User and IP Address Reconnaissance (SMB)
- Remote code execution attempt
Stay tuned for additional alerts and updates. As always, your feedback is welcome.
Hi @Tali Ash
We have a proxy service running, with service account svc-proxy, on server DTxxxxxxxx02
These activities generates “User and IP address reconnaissance (SMB)” alerts.
We do not want future alerts.
We added the svc-proxy to user exclusion “User and IP address reconnaissance (SMB)”
After we closed the alert, we still get alerts "An actor on DTxxxxxxxx02 enumerated SMB sessions on..."
In the evidence details it shows An actor = svc-proxy
Why do we still get these alerts after we excluded the user?
It seems the user only based exclusion for alerts is not working...
Remark: if we exclude both the user "svc-proxy" and computer "DTxxxxxxxx02" it works fine, no more alerts. But we don't want to exclude the computer too.
